Microsoft to Patch Windows Flaw Next Week

Microsoft has updated its advisory on an unpatched flaw in Windows that hackers are using to embed spyware and other malicious programs on PCs running the company's Windows operating system. Redmond now says it plans to release a patch on Jan. 10 to fix the problem.

This is not that big of a surprise, really. Jan. 10 is the second Tuesday of the month, also known as "Patch Tuesday" -- the day Microsoft regularly issues software patches and updates. (It's also called "Black Tuesday" by system admins who dread the extra hours it takes to test and deploy security patches across thousands of computers).

Had the company not announced plans to issue a patch, that might have been more newsworthy. Given the sheer amount of negative publicity regarding Microsoft's decision to delay releasing the patch for another week, I am willing to bet that the company will switch gears over the next few days and perhaps issue the patch even earlier.

Normally, Microsoft only tells users the Thursday before Black Tuesday how many patches it will issue and what the highest severity rating will be. Microsoft is offering more details in this case because, well, the company wants to make sure everyone knows that it recognizes this is a serious enough threat. Well-respected members of the security community are even urging users not to wait for the patch from Microsoft and to instead install a fix developed by an independent programmer.

The original site where the unofficial patch was posted was quickly knocked offline by massive traffic spikes following a hilarious yet deadly serious post by the SANS Internet Storm Center urging people to download and install the patch. Subsequently, the SANS site itself was also swamped by patch seekers, even after the organization set up a second server to handle all of the requests.

Before you do anything else, it would be a good idea to read this entire post, and then review SANS's frequently asked questions (FAQ) on this vulnerability. If after reading this post and the SANS FAQ, you still want to download and install the unofficial patch, you should be able to retrieve it from this link here. It works on Windows 2000, Windows XP Home and Pro systems, as well as Windows Server 2003.

Windows users also can use the following workaround that should help mitigate the threat from this flaw:

* A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

A couple of things to note about the SANS FAQ, which states in part: "If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade."

While it is true that neither the above-mentioned hack nor the unofficial patch will fix the problem on Windows 98 and Windows ME (or for Windows 95 and Windows 3.0 for that matter, where this flaw also apparently resides), none of the security experts I've talked to have seen an exploit so far that successfully attacks this flaw on those systems. That said, it may only be a matter of time before attackers figure out a way to use this flaw to target the still-substantial number of Windows 98 and ME users worldwide, who tend to be (flamebait-inducing generalization here) among the less experienced and street-smart 'Netizens.

If Microsoft's patch next week does not fix this flaw on Windows 98 and Windows ME -- and the reply to that open question from a Microsoft security response director I spoke with today was not encouraging on that front -- the advice to upgrade or switch to another OS entirely may be the best there is to offer against this threat for those users.

In addition, while this flaw has nothing really to do with Microsoft's Internet Explorer browser, using an alternative browser like Firefox or Opera does help reduce the likelihood that your machine will be compromised by this exploit. That's because Firefox and Opera will ask users to approve a nasty download from a malicious Web site, whereas IE will simply download it without warning.

I keep up with security issues on Windows. I'm running Windows 95 OSR2. Guess what? I'm not even susceptible to this flaw.

These flaws are built in, man-made, and well, they didn't build this flaw into OSR2.

Just for precautions I've decided to put Internet Explorer in offline mode and stay with other browsers.

It is a lot less work making a secure OS out of 9x than it is XP.

I wouldn't take at face value comments implying that Legacy Windows are more susceptible or that the Netizens are less of anything.

If anyone wishes to maintain there is some hole in the Legacy Windows I'd like to know what it is with some specificity.

If you can't state with specificity even one particular hole, I'd say you were just blowing smoke.

Unpatched browser holes are not OS specific. If you are using IE it is not because you have to, it's because you are using it over other browsers which are free and arguably a better browsing experience.

I suppose 98 users could just delete shimgvw.dll, not use (disassociate) the Explorer or the picture viewer and fax viewer, turn off active scripting, etc.

What picture viewer and fax viewer? If there was a picture viewer in 98, I missed it. I like IrfanView and it doesn't have the flaw. I guess the author didn't build the flaw into it. Who knows?

My Windows 95 OSR2 is on a high speed connection 24/7. It's not getting clobbered around. It's not ever been compromised either.

The Internet is a potentially very hostile network. Personal computer users are by default the network administrators of this network.

Most people are not up to the task of effectively administering their computers on this Network. Not knowing how to make it safe they rely on others like the vendors.

Microsoft as a vendor doesn't deliver safety in its defaults. For example they think the autorun feature should be enabled by default. Next thing you know Sony installs a rootkit.

They think ActiveX scripts marked safe are safe. Next thing you know you have a drive by download.

They provide a firewall with XP and even with it enabled, it doesn't give you any power over outbound exchanges and requests.

There is a current trend of thought that tries to sell the idea of upgrade and patch, upgrade and patch, upgrade and patch as some kind of responsible security behavior.

Before accepting this philosophy, I'd like to consider the question: does it work?

Suppose I fell for the line and kept upgrading and patching. Could I surf the Internet safely and play music CDs on my computer without having the system compromised?

The answer is no to both of these questions.

So the solution is more upgrades and patches? I think not.

My computer can play audio CDs and not get compromised. The reason why has to do with configuration. All the upgrades and patches in the world will not help if your computer is configured to leave you open to these exploits.

I can browse the Internet just as safely as XP users with Firefox. There aren't any Firefox security issues which affect Legacy Windows users over and above XP users.

You KNOW, Microsoft will use this flaw to leverage users into buying new software. They will ONLY patch Windows XP, and anyone using Windows 2000 or older, who wants their systems fixed or made more secure will be FORCED to buy Windows XP.
In a lot of cases this will force people to have to buy new hardware.

So far Microsoft has seen surges in sales of Windows XP for every flaw and exploit that has come out. THIS IS VERY WRONG! Microsoft should not be rewarded for poor programming. What's to stop them from deliberately creating flaws and vulnerabilities to increase sales?

The LAW needs to step in and FORCE Microsoft to patch "EVERY" version of Windows that is affected by this flaw... AT NO COST TO THE USER.

I have been virus free for years and years. It's called Mac OS X (and Classic before that). It is a viable alternative to Windows. To a comment posted by "Yeah" Macs are very very serious computers that (in my opinion) far exceed anything that Microsoft has ever made. Before posting "fanboy" comments go and do some research and explain why you don't like them. As for this flaw, there is a permanent fix for all viruses and flaws in Windows......Mac.

"You KNOW, Microsoft will use this flaw to leverage users into buying new software. They will ONLY patch Windows XP, and anyone using Windows 2000 or older, who wants their systems fixed or made more secure will be FORCED to buy Windows XP."

I think you are right. I'd even go so far as saying they have reasons not to make XP too safe. Their future depends on your perceived need for so-called Trustworthy Computing. If XP was locked down tight would you perceive a need for Trustworthy Computing?

PS this post was produced with Firefox 1.0.7, it seems to work okay :)

To : SchlitzAndGenny ... the first version ( read reason at isc.sans(dot)org ) is 87,552 bytes. I've forgotten how long that takes by modem. Good luck. [ file hosted on a Mac/deployed to half dozen XP's/ 2 dozen Macs unaffected ]

To : Yeah ... { not a "flame" to others ! } Yep, they sure are. Just like Christmas morning, I like my toys to still be working on New Year's Day. The 128 still boots up on my office credenza ... go figure

What the heck is this shimgvw.dll that we might remove or unregister? It's not even on my Win98 system. This scare-mongering is only a sales pitch. One of the alternatives to Windows, at least for businesses, is OpenVMS. Users like to brag that their uptimes are longer than Microsoft service contracts.

Please stop talking about the Apple Mac's superiority to anything done by Microsoft. If more people start using Macs then the virus writers will change their attention from the crap that Microsoft pushes on the public and turn to attacking Apple systems. While Apple software is vastly superior to anything Microsoft has pushed onto an ignorant public, it can be hacked by some really intelligent hackers who now find the number of Mac users not worth the effort to hack. Please let's keep it that way.

OK, I ran "regsvr32 -u %windir%\system32\shimgvw.dll" and, as expected, I can't use fax viewer and don't see thumbnails. Fine...I can live with that in the short term.

Now let's assume a patch comes out next week. Do I need to re-register this dll? And if so, what is the command syntax?

And do I need to re-register the dll before I accept the Microsoft patch? And will there be unpredictable consequences if the patch is applied while the dll is unregistered, say, for instance, if Microsoft decides to push out the patch to auto-update customers before Tuesday?

I like to be able to build and rebuild computers, swapping hardware, changing out video cards, upgrading bits and pieces, frankensteining boxes out of lonely parts rescued from leftover PCs. While I'm willing to admit fragility on the part of the Microsoft OS, I have little desire to accept the other option - proprietary, locked-down hardware from Apple.

Also, I like my computer mouse to have multiple buttons and not look like a toy or a hockey puck.

For all the supposed advantages to the Mac OS, the apple computers themselves are the real turnoff. I intensely dislike the idea of buying a one-piece unit where the monitor is permanently connected to the actual computer, and the whole unit looks like a silly 1960's lamp.

Andy -- I have covered this in past blog posts, but here it is again. If you want to re-register this DLL, then you may do so by following the same instructions except omitting the /u flag. Here they are:

To your other question, when Microsoft releases this patch, they will have fixed the more basic underlying problem, that with GDI, not this Shimgvw.dll. Which means there should be no need to re-enable the dll before installing the msft patch. Does that answer your question? Clear as mud?

So, if MS is required to patch everything they've ever made, where do we stop? Does GM have to go back and provide upgrades for all the 1950's cars that had weak seatbelt systems? Does Genie have to go back and provide free retrofits for all the old garage door openers susceptible to code scanners?

Does your last boss at the job you quit working at 10 years ago have the right to force you to go back and correct a spreadsheet you put incorrect data into?

I'm tired of so many people claiming they're "due" something from a company because they made mistakes or even worse - because something written for an environment that existed years ago no longer works well in today's environment.

Get a clue. Life changes. Stuff isn't perfect. You do the best you can and make the best decision you can, and live with it. If someone is maliciously negligent, that's one thing, but it's not what we're talking about here.

I wish the Mac people all the luck in the world too, cause I like the platform. But don't let your guard down guys, cause only an idiot would believe Macs will stay unaffected forever. Hell, I don't think it's too long before automotive systems get complex enough to start being attacked...

I'm getting sick and tired of Windows and its security issues. Granted, I know more about computers and the internet than the average person, but I'm still somewhat inexperienced when it comes to switching from one OS to another. If it was as easy to switch to another OS as it is to switch from one browser like IE to another (Firefox), I would have made the change yesterday.

To Rhonda: It will be very easy to switch to the Macintosh OS, simply because the Mac OS is very simple to use (and very stable). I've been a Mac user since 1991, and I keep looking at my Windows colleagues with great astonishment as they keep wasting time, time, and money with Microsoft's mediocre Windows every year. Switch to the Mac, and you'll finally start to enjoy using a computer!

Paolo Monti has released a temporary patch for the WMF vulnerability ( see Microsoft Security Bulletin 912840 ). This patch intercepts the Escape GDI32 API in order to filter the SETABORTPROC escape (function number 9). It uses dynamic API hooks, avoiding patching/modifying of the GDI32 code. Advantages of this approach: fully dynamic - no reboot is required.
This patch also works on Windows 9x/ME. Administrator rights are required to install it on WinNT, 2000, XP, 2003 systems.

Installation: unzip the file WMFPATCH11.ZIP and run the provided INSTALL.EXE file. Follow the instructions of the installer.
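A static check for the same record the patch above filters at run time, as an added example (not code from the original post, from Paolo Monti's patch, or from Microsoft): it walks the WMF record stream and reports any META_ESCAPE record whose escape function is SETABORTPROC (9), which has no legitimate use in an image file and is what a mail or web gateway would flag before the image is ever rendered. The record constants come from the public WMF format layout; the two sample files are constructed inline.

```python
"""Scan a WMF byte string for META_ESCAPE records carrying SETABORTPROC."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # key of the optional 22-byte Aldus placeable header
META_ESCAPE = 0x0626           # record function number for META_ESCAPE
META_EOF = 0x0000              # record function number for META_EOF
SETABORTPROC = 0x0009          # escape function (9) that the exploit abuses


def wmf_records(data):
    """Yield (function, params) for each record in a WMF byte string."""
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        offset = 22  # skip the placeable header to reach the standard header
    if len(data) < offset + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, offset + 2)[0]
    offset += header_words * 2  # header size is given in 16-bit words (normally 9)
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)
        if size_words < 3:  # a record is at least its own 6-byte size/function prefix
            raise ValueError("malformed record size at offset %d" % offset)
        yield func, data[offset + 6: offset + size_words * 2]
        if func == META_EOF:
            return
        offset += size_words * 2


def find_setabortproc(data):
    """Return [(record_index, byte_count)] for every SETABORTPROC escape record."""
    hits = []
    for idx, (func, params) in enumerate(wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 4:
            escape_fn, byte_count = struct.unpack_from("<HH", params, 0)
            if escape_fn == SETABORTPROC:
                hits.append((idx, byte_count))
    return hits


# Helpers to build the constructed sample files below (not real malware).
def _record(func, params):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records):
    body = b"".join(records)
    # FileType=1 (disk), HeaderSize=9 words, Version=0x300, FileSize in words, then zeros
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0) + body


# Constructed: a benign file with only an EOF record, one with a META_ESCAPE /
# SETABORTPROC record (two placeholder bytes), and the latter behind a placeable header.
BENIGN_WMF = _wmf([_record(META_EOF, b"")])
SUSPICIOUS_WMF = _wmf([
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 2) + b"\x00\x00"),
    _record(META_EOF, b""),
])
PLACEABLE_SUSPICIOUS_WMF = struct.pack("<I", PLACEABLE_MAGIC) + b"\x00" * 18 + SUSPICIOUS_WMF

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF)):
        print(name, find_setabortproc(sample))
```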

I would like to send you another story of legal abuse with computers and some links to publications about my criminal case. I worked for Mitsubishi Electric Automation in Vernon Hills, IL, USA. My case is getting public attention now as an example of miscarriage of justice. I could not defend myself, because I did not have enough money for a computer expert. I was forced to confess to possession of child porn. I got browser hijackers while browsing the web. I was redirected to illegal sites against my will. Some illegal pictures were found on my hard drive only after recovering in unallocated clusters, without dates of file creation/download. I do not know how courts can press widely on people to convict them, while the whole Internet is a mess.

This is my story on inquisition21.com. There is all information about the case written by Irish writer Brian Rothery.

I have downloaded and installed the patch as you suggested. However, I've since been told that I should have waited for the MS patch, ok.
BUT, how will I be able to uninstall this patch when MS issues its own patch on Tuesday. Or, what will happen if I leave the third-party patch on my computer?

Unfortunately, I've had this nasty problem on my machine for almost a week now. Can someone please educate me on whether there's a difference between patches and fixes? Earlier I downloaded the recommended (but non-Microsoft) patch, and it's done nothing to rid me of my spyware background screen. I'm guessing the patch only prevents it from happening to you. What do you do if it's already happened? Will Microsoft's solution help the already infected? Do I need to wipe the drive clean and start over? Someone please advise.

In partial answer to the questions posted below. The patch won't get rid of any spyware or trojan infections. It won't prevent them either, except if they are being delivered via the .wmf exploit.

You will have to identify what particular spyware or trojan or virus or whatever it is that you have. I guess if it were me, I'd try installing the free version of Ad-Aware and run a scan. If it didn't show anything I'd install some free anti-virus software and scan for viruses. Why free? Because I like free :)

Determina (www.determina.com) advocates a vulnerability-based approach. They concentrate on all memory-based vulnerabilities, rather than a subset of exploits (e.g. WMF). According to their 12/28 advisory (http://www.determina.com/advisories/determinaDecember2005_4.html), users have been protected from WMF with no (official or unofficial) patch necessary.

like i give a hoot about time-wasting bunk. i learned windows once; why pay for more crap? name one thing missing with 98/me except skype. i'll do vista in two years --unless it's as suck heavy as xp AND there's a linux alternative i can learn in a week. 50 bucks every ten years seems right.

give me firefox and web storage and let the hackers fatten their resumes and the NonSentientAdvocates listen in

WhatanIdiot, in case you are interested and I think you are, I'm still not convinced that Windows 98 is susceptible to this .wmf flaw, in spite of the fact that it has been published by many as susceptible.

I searched a 98SE computer a few minutes ago and shimgvw.dll isn't even on the computer.

I'm fairly non-religious about computers, and have/will used/use just about anything cybernian. Thus my amusement whenever the Mac sheep begin their hypnotic moonie "our toys are better, thus we are better" bleating. Yeah is correct in his analyses of this borgian phenomenon.

Anyone thinking Microsoft might do something for Windows 98/Me is going to be disappointed. This is what is on Microsoft's site "Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions. Per the support life cycle of these versions, only vulnerabilities of Critical severity would receive security updates."
Microsoft do seem to prefer not to want to bolt stable doors until the horse has bolted.

Listen, I'm sick to death of people complaining about people who are "still" using Windows 98. I happen to agree with you but you seem to have forgotten that upgrading co$t$ money. Perhaps, as you are so wealthy and able to throw out oodles of cash every few years simply to 'upgrade', you would be so kind as to send me some money. Basically, to upgrade from Win 98 you need to buy new hardware before you buy a new OS. Anybody who suggests upgrading to Windows XP has, speaking figuratively, a hole in the head because the successor to Windows XP (ie. Windows Vista) is coming out this year. These companies make all their money by 'forcing' people to upgrade. Exactly how long do you think before Windows XP Home edition is going to be abandoned by Microsoft?! An article I read says that although Windows Professional Edition will be supported for several years to come, that ain't true for Win XP Home. And seriously, why should I spend $200 Cdn. to buy the full edition of Windows XP Home when it won't be supported much longer?! Certainly I'm not spending $400 Cdn for Windows Professional. And forget the Windows XP upgrade packs! That's highway robbery! Why should I pay for a 'crippled' operating system when I should be able to buy the full OS at a decent price?! Capitalism without a conscience is going to destroy humanity. We want people to act like machines and machines to act like people. ... Ok, so those last two sentences were a little off topic but, well, anyway, I'm venting and so there! These are my thoughts at this moment.

Problem with the MS patch? My online banking will not remember my sign-on number, even if I reenter it and check the "remember this" box. BofA says the problem is that IE makes some errors during shutdown. Microsoft says don't come crying to me, call Dell. Anyone else have this? Anyone have a fix? Changing privacy settings didn't help.